HP OSMS Blueprint: Directory Services on HP ProLiant Servers with SLES10

Using TLS
TLS is the successor to SSL and works almost identically. It provides transport-layer
integrity and confidentiality for directory traffic. Combined with the SASL EXTERNAL
mechanism, TLS can also provide strong authentication.
TLS uses X.509 certificates to carry client and server identities. Every server must have a
valid certificate; client certificates are optional unless SASL EXTERNAL is used for
authentication, in which case clients must have valid certificates as well. All certificates can
be created and managed with the cpksca package provided by CDS.
Configuring TLS for Network Encryption
1. Verify that the cpksca package is installed on the Certificate Authority (CA) server,
which might be the same machine as the CDS server, by entering the following command:
# rpm -qa|grep cpksca
If the cpksca package is not found, download the appropriate version of the cpksca
package from the OSMS distribution and install it with the rpm command.
2. Edit the cds.conf file on the CDS server so that CDS also listens on port 636 with the
LDAPS protocol. Set HOST_LIST as follows, replacing <CDS_SERVER_IP_OR_HOSTNAME> with
the host name or IP address of the CDS server:
HOST_LIST="ldap://<CDS_SERVER_IP_OR_HOSTNAME>:389/ ldaps://<CDS_SERVER_IP_OR_HOSTNAME>:636/"
3. Create a new CA file on the CA server by entering the following command:
# /opt/symas/bin/CA.sh -newca
NOTE: The CA created by this command is valid for only one year. All certificates signed
by this CA become invalid on the date the CA expires, even if their own expiry date is later,
so plan to renew the CA and reissue server (and client) certificates before then.
4. At the appropriate prompts, enter the fully qualified domain name of the CA server as the
Common Name. Record the PEM pass phrase; it is required when you sign a server certificate in
step 10. By default, the CA file, cacert.pem, is created in /opt/symas/ssl/.
5. Copy the CA file created in step 3 to both the CDS client and the CDS server, placing it
in the /opt/symas/ssl/ directory on each machine.
6. Edit the ldap.conf file on the CDS client by setting TLS_CACERT to the path of the CA
file as follows:
TLS_CACERT /opt/symas/ssl/cacert.pem
7. Edit the slapd.conf file on the CDS server to set the value of TLSCACertificateFile
as follows:
TLSCACertificateFile /opt/symas/ssl/cacert.pem
8. Generate a certificate request and private key for the CDS server by entering the
following command:
# /opt/symas/bin/CA.sh -newreq
9. At the appropriate prompts, enter the fully qualified domain name of the CDS server as the
Common Name. By default, the certificate request and the private key are stored in a new file
named newreq.pem.
10. Sign the certificate request created in step 8 by entering the following command:
# /opt/symas/bin/CA.sh -signreq
When prompted for the PEM pass phrase, enter the phrase from step 4. After two
confirmations, the signed certificate is written to the file newcert.pem.
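The procedure above, as an added shell example that is not part of the HP blueprint or of the CDS tooling. It checks the three configuration edits (HOST_LIST, TLS_CACERT, TLSCACertificateFile) against constructed sample files, then performs the CA, request and signing steps with openssl directly so that the certificate lifetimes are visible, and finishes with the check that shows why the NOTE in step 3 matters: a server certificate stops validating the day its CA expires. The host names, the temporary working directory and the single-line HOST_LIST layout are assumptions; CA.sh is a wrapper script around openssl, and the openssl commands here are plain equivalents, not CA.sh's exact invocation.

```shell
#!/bin/sh
# Added example, not part of the HP blueprint or the Symas CDS tooling.
# Part 1: post-configuration checks for steps 2, 6 and 7.
# Part 2: openssl equivalents of CA.sh -newca / -newreq / -signreq with the
#         lifetimes made explicit, plus a check that exposes the CA-expiry caveat.
# Assumptions: host names (cds.example.com, ca.example.com), the temporary
# working directory, and a single-line HOST_LIST. On a real system point the
# checks at the actual cds.conf, slapd.conf and ldap.conf.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample configs: cleartext-only HOST_LIST beside the corrected one.
printf 'HOST_LIST="ldap://cds.example.com:389/"\n' > "$WORK/cds.conf.weak"
printf 'HOST_LIST="ldap://cds.example.com:389/ ldaps://cds.example.com:636/"\n' \
    > "$WORK/cds.conf.good"
printf 'TLSCACertificateFile %s/cacert.pem\n' "$WORK" > "$WORK/slapd.conf"
printf 'TLS_CACERT %s/cacert.pem\n' "$WORK" > "$WORK/ldap.conf"
: > "$WORK/cacert.pem"    # placeholder; replaced by a real CA below if openssl exists

# Succeeds only if the HOST_LIST in config $1 contains an ldaps:// URL on port 636.
check_host_list() {
    val=$(sed -n 's/^HOST_LIST="\(.*\)"[[:space:]]*$/\1/p' "$1")
    case "$val" in
        *ldaps://*:636/*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Succeeds only if config $1 sets directive $2 to a readable file.
check_ca_ref() {
    path=$(awk -v k="$2" '$1 == k { print $2; exit }' "$1")
    [ -n "$path" ] && [ -r "$path" ]
}

# Build a CA valid for $3 days and a server certificate for host $2 valid for
# $4 days, in directory $1. Same three stages as the blueprint's CA.sh steps:
# self-signed CA, request plus private key, then signing the request.
# subjectAltName is added because LDAP clients match the host name against it.
make_ca_and_server_cert() {
    dir=$1; host=$2; ca_days=$3; cert_days=$4
    openssl req -x509 -newkey rsa:2048 -nodes -days "$ca_days" \
        -subj "/CN=ca.example.com" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null \
    && openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$host" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null \
    && printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf" \
    && openssl x509 -req -days "$cert_days" -in "$dir/newreq.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/newcert.pem" 2>/dev/null
}

# Succeeds only if server cert $2 chains to CA $1 and BOTH remain valid for at
# least $3 more seconds. Checking the CA as well is the point: a server
# certificate is useless once the CA that signed it has expired.
verify_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
    && openssl x509 -in "$1" -noout -checkend "$3" >/dev/null \
    && openssl x509 -in "$2" -noout -checkend "$3" >/dev/null
}

# Stand-alone run: report the config checks, then the certificate checks.
for f in cds.conf.weak cds.conf.good; do
    if check_host_list "$WORK/$f"; then echo "$f: ldaps listener on 636 enabled"
    else echo "$f: NO ldaps listener (cleartext only)"; fi
done
check_ca_ref "$WORK/slapd.conf" TLSCACertificateFile && echo "slapd.conf: CA file readable"
check_ca_ref "$WORK/ldap.conf" TLS_CACERT && echo "ldap.conf: CA file readable"

if command -v openssl >/dev/null 2>&1; then
    # CA for one year (the blueprint's CA.sh default), server cert for two:
    # the server cert outlives its CA, which the 400-day check catches.
    make_ca_and_server_cert "$WORK" cds.example.com 365 730
    verify_server_cert "$WORK/cacert.pem" "$WORK/newcert.pem" 2592000 \
        && echo "chain valid for the next 30 days"
    verify_server_cert "$WORK/cacert.pem" "$WORK/newcert.pem" 34560000 \
        || echo "chain NOT valid 400 days out: the CA expires first"
fi
```

On a real system, run check_host_list against the actual cds.conf and point verify_server_cert at /opt/symas/ssl/cacert.pem and the deployed newcert.pem; with a lead time of a few weeks the -checkend test makes a usable renewal alarm from cron, and it fires on the CA's expiry as well as the server certificate's.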